VLAN not working what am I doing wrong
-
@Jarhead I "think" I did but I don't know if I did it correctly.
WAN -> pfsense vnet0 -> mokerlink 2.5g port 6 -> 10gig port (upstairs port 9) -> mokerlink 10gig port (downstairs port 9) -> 2.5g port 8 -> tplink 1g port 1 -> TPlink port 6 -> Lorex NVR -> 8 wired POE IP cameras
upstairs mokerlink switch
Downstairs mokerlink switch
TPLink
-
@xokia That looks better.
Still not working?
Correction, the TP Link should have port 6 as untagged with vlan 23.
-
-
@xokia Yes you need a pvid set on the port you're going to connect a device that you want to be in vlan 23... Because it's not going to be tagging traffic so how would the switch know what vlan the traffic is supposed to be in.
You understand your cameras are not going to get IPs from this vlan 23 right... Just your NVR..
-
@johnpoz said in VLAN not working what am I doing wrong:
@xokia Yes you need a pvid set on the port you're going to connect a device that you want to be in vlan 23... Because it's not going to be tagging traffic so how would the switch know what vlan the traffic is supposed to be in.
You understand your cameras are not going to get IPs from this vlan 23 right... Just your NVR..
I tried setting port 6 of the TPLINK to PVID=23, still didn't work. Probably something I am missing but I haven't figured it out.
Yes I know the IP cameras do not get the IP address from the VLAN; they get it from the NVR DHCP. The IP cameras are 10.1.blah. With the current config they work with Alexa and I can ask to see a specific cam on an Echo Show. The NVR gets its IP from the 192.168.3.1 DHCP server currently. I'd like to move it to the VLAN 192.168.3.60 DHCP server.
The NVR was just a test subject since it needed to be routed through several switches. I thought it would be a good test case to learn. I was going to take a laptop, statically assign the IP and try pinging 192.168.60.1 from port 6 of the TPLINK which should be the VLAN DHCP server. Running out of ideas though.
I am going on vacation tomorrow for 2 weeks so will probably skip the VLAN until I return. If you guys see something I did wrong please call it. I'll have to tackle it when I return.
-
@xokia it doesn't matter how many switches you put in line..
network --- 1U,23T -- switch -- 23U -- device.
if you add another switch..
network --- 1U,23T -- switch1 -- 1U,23T -- switch2 -- 23U -- device.
Both ports that connect your 2 switches would both be set 1UP,23T
Where 1 is the PVID for the ports that connect switch1 and 2. Only the end device, your nvr in this case, would the port be set for 23UP (untagged pvid).
That tplink I showed, that is the 3rd switch in a daisy chain.. I have this
pfsense -- sg300-28 -- sg300-10 -- tplink
Well I also have a sg250-8 that hangs off the sg300-28 as well. You can carry as many vlans as you want between the switches or to a downstream switch.. My sg250 hanging off the 28 is only a subset of my vlans. And its management IP is actually on a different vlan than my other switches... It's on my 192.168.200 vlan, while my sg300 management is on my vlan 9 (untagged lan port on pfsense)..
But to this sg250 switch it thinks this 192.168.200 vlan of mine is vlan 1.. Same with my tplink, it puts untagged traffic it sees coming into its port that connects it to the network as its vlan 1.. While my other sg300 switches the default vlan for it (untagged) is vlan 9.
You can only ever have 1 untagged network on a port.. If you carry more than 1 network, the other networks have to be tagged. You could also tag all of them if you wanted if they are just uplinks between switches. But normally vlan 1, ie the switch's default vlan, is never tagged.
If you are running dhcp on this vlan 23 of yours.. If you were setup correctly then any dhcp device you plug into your last port in the line of switches where 23 is untagged then it would get an IP from pfsense dhcpd for vlan 23.
-
@johnpoz said in VLAN not working what am I doing wrong:
network --- 1U,23T -- switch1 -- 1U,23T -- switch2 -- 23U -- device.
If you are running dhcp on this vlan 23 of yours.. If you were setup correctly then any dhcp device you plug into your last port in the line of switches where 23 is untagged then it would get an IP from pfsense dhcpd for vlan 23.
I think I have this unless I am missing something.
-
@xokia well if you plug a device into your last switch in your line's port that is 23 untagged, or as cisco calls them an access port. And you don't get an IP from your dhcpd running on your vlan23 on pfsense, then yeah you're missing something.
If you create a port on your first switch in your line that is in 23 UP (untagged, pvid) does it get an IP from dhcp? If so then do the same test on your 2nd switch in your line.. etc..
You mention your pfsense on VM, you sure it's not stripping the tags? Been a while since I played with proxmox - but VM software normally has to be set up to either not strip tags or put specific port groups or vswitches into specific vlan.. With esxi, I know you need to set the vswitch to vlan ID 4095 I think so that it doesn't strip tags.
I would test with that first switch coming off your proxmox -- put a port in 23UP, does it get dhcp from pfsense from vlan 23?
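The tagging rule from the posts above (1U,23T between switches, 23UP on the device port) and the switch-by-switch test can be modelled in a few lines. This is an added example, not part of any post and not the behaviour of any specific switch; the port settings are constructed, only the link names follow the topology in the thread, and a default PVID of 1 is assumed wherever "P" is not given.

```python
# Added example: a toy 802.1Q model, not the behaviour of any specific switch.
HOST = {"pvid": "host", "tagged": set(), "untagged": {"host"}}  # VLAN-unaware device

def parse(spec):
    """Parse the thread's notation ('1U,23T', '23UP') into a port config."""
    port = {"pvid": 1, "tagged": set(), "untagged": set()}  # assumed default PVID 1
    for item in spec.upper().replace(" ", "").split(","):
        digits = item.rstrip("UPT")
        vid, flags = int(digits), item[len(digits):]
        if "T" in flags: port["tagged"].add(vid)
        if "U" in flags: port["untagged"].add(vid)
        if "P" in flags: port["pvid"] = vid
    if len(port["untagged"]) > 1:  # rule stated in the thread
        raise ValueError("only one untagged VLAN per port: " + spec)
    return port

def cross(vlan, out_port, in_port):
    """Carry `vlan` over one cable; return the VLAN on the far side, or None if dropped."""
    if vlan in out_port["tagged"]:
        wire = vlan                      # leaves with an 802.1Q tag
    elif vlan in out_port["untagged"]:
        wire = None                      # leaves untagged
    else:
        return None                      # egress port is not a member of the VLAN
    if wire is None:
        return in_port["pvid"]           # untagged ingress is classified by PVID
    return wire if wire in in_port["tagged"] | in_port["untagged"] else None

def first_break(vlan, trunks, access_spec):
    """Walk pfSense -> device and back; name the first hop that loses `vlan`, else None."""
    hops = [(name, parse(a), parse(b)) for name, a, b in trunks]
    hops.append(("access port", parse(access_spec), HOST))
    cur = vlan
    for name, near, far in hops:                      # downstream
        cur = cross(cur, near, far)
        if cur != (HOST["pvid"] if far is HOST else vlan):
            return name + " (downstream)"
    for name, near, far in reversed(hops):            # upstream
        cur = cross(cur, far, near)
        if cur != vlan:
            return name + " (upstream)"
    return None

# Constructed port settings; only the link names follow the topology in the thread.
GOOD = [("pfSense - upstairs port 6", "1UP,23T", "1UP,23T"),
        ("upstairs port 9 - downstairs port 9", "1UP,23T", "1UP,23T"),
        ("downstairs port 8 - TP-Link port 1", "1UP,23T", "1UP,23T")]
UNTAGGED_FAR_END = GOOD[:1] + [(GOOD[1][0], "1UP,23T", "1UP")] + GOOD[2:]
```

`first_break(23, GOOD, "23U")` reports the access port in the upstream direction: the port sends VLAN 23 out untagged, but without a PVID of 23 the device's replies are classified into VLAN 1.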
-
@johnpoz I can ping 192.168.60.1 from my desktop that is connected to the same mokerlink switch as the pfsense router running the VLAN. (Desktop IP is in the 192.168.3.x range)
The moment I set port 9 to VLAN tagged 23 I can no longer ping 192.168.60.1. If I set just port 6 (this is the port pfsense is connected to) to VLAN Tagged 23 I can still ping 192.168.3.60. If I touch port 9 I am hosed.
I have the mokerlink 9 port managed switch. Port 9 has a 10gig SFP+ module in it. Port 9 on these 2 switches connect my upstairs to downstairs using 10G SFP+ modules.
Maybe I can try skipping the SFP+ module and try it with one of the 2.5G ports. Maybe there is some issue with the SFP+ module? I assume the SFP+ is just a phy and the management is done in the link or protocol layer.
-
I can confirm setting it up on just the first switch in the chain works and DHCP pulls the correct IP. Passing it to the next switch seems to be the issue.
-
@xokia said in VLAN not working what am I doing wrong:
The moment I set port 9 to VLAN tagged 23
Is that your first switch? Where is the port you put in 23 untagged that you're connecting your laptop?
This is how it should look for testing...
Move your laptop to the different switches you run this 23 vlan through.. I take it vlan 23 is 192.168.3 on pfsense.. Your devices should pull a dhcp address from your dhcpd running on pfsense.
U = Untagged
P = PVID
T = Tagged.
-
What software are you using to draw that? Maybe I can use the same to make it easier to understand. I do have Visio but don’t have the fancy pics that I’m aware of.
For the working case, yes, the first switch in the chain works as expected with VLAN; passing it from switch 1 to switch 2 seems to be where things stop working. Port 9 on both switches is what’s used to pass data from one switch to the other.
Local network: 192.168.3.1
VLAN network: 192.168.60.1
I’m on my way to Cancun, will be back next week to tackle this again. So delayed response. Thanks for the help folks.
-
@xokia Just an old copy of visio.. 2007 ;) Still works!! heheeh
I use the latest and greatest for work, but my home pc I just have the old version.
-
Same for me. Whatever the last version was that didn’t require a yearly payment, that’s the version I have at home. I’ll poke around when I get back from Cancun and see if it has a network plugin; if not I’m sure I could draw up something basic.